Which apps are affected?
It’s used in many OS X and iOS applications including:
Some popular applications that do not use ImageIO include:
The bug is a simple null pointer dereference in PNG parsing (more technical detail in Lander Brandt’s article):
What’s happening here is:
- libpng hits an unknown chunk
- The custom chunk callback is called
- Apple’s own internal method which returns a pointer to the chunk returns null since there’s no data
- There’s no check on the chunk pointer returned
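As an added example (not code from the original post, from Apple or from libpng), a minimal C model of the chunk walk outlined above: the hypothetical walk_chunks() hands ancillary chunks to a callback and, following the libpng unknown-chunk contract, passes a NULL data pointer for a zero-length chunk; unchecked_unknown_chunk() shows the missing check, checked_unknown_chunk() the fix. The constructed SAMPLE_PNG is not a real image and skips IHDR/IDAT and CRC validation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample, not a real image: PNG signature, a zero-length ancillary chunk of
 * private type "prIv" (lowercase first letter = ancillary), then IEND. No IHDR/IDAT, no CRCs. */
const uint8_t SAMPLE_PNG[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 0, 0,  'p', 'r', 'I', 'v',  0, 0, 0, 0,              /* length 0, type, CRC */
    0, 0, 0, 0,  'I', 'E', 'N', 'D',  0xAE, 0x42, 0x60, 0x82
};

/* Callback contract modelled on libpng's unknown-chunk hook: a chunk with no payload
 * arrives with data == NULL and len == 0. A negative return aborts decoding. */
typedef int (*unknown_chunk_fn)(const char type[4], const uint8_t *data, uint32_t len);

/* Hands every ancillary chunk to cb; returns chunks dispatched, or -1 on truncation or callback error. */
int walk_chunks(const uint8_t *buf, size_t n, unknown_chunk_fn cb) {
    size_t off = 8;                                  /* skip the 8-byte signature */
    int dispatched = 0;
    while (off + 12 <= n) {                          /* length(4) + type(4) + crc(4) */
        uint32_t len = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                       ((uint32_t)buf[off + 2] << 8) | buf[off + 3];
        const char *type = (const char *)(buf + off + 4);
        if (len > n - off - 12) return -1;           /* declared payload runs past the buffer */
        if (memcmp(type, "IEND", 4) == 0) break;
        if (type[0] & 0x20) {                        /* ancillary: not decoded by the core */
            const uint8_t *data = len ? buf + off + 8 : NULL;
            if (cb(type, data, len) < 0) return -1;
            dispatched++;
        }
        off += 12 + (size_t)len;
    }
    return dispatched;
}

/* The failure mode described above: the callback assumes a payload exists and reads through it. */
int unchecked_unknown_chunk(const char type[4], const uint8_t *data, uint32_t len) {
    (void)type; (void)len;
    return data[0];                                  /* NULL dereference on an empty chunk */
}

/* Hardened form: an empty chunk is valid input, so report "nothing to read" and keep decoding. */
int checked_unknown_chunk(const char type[4], const uint8_t *data, uint32_t len) {
    (void)type;
    if (data == NULL || len == 0) return 0;
    return data[0];
}
```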
What is the impact?
This bug can be triggered any time a PNG file is being processed. So really, anything that processes the image can be caused to crash.
- Receiving the malicious image via text message with message previews turned on will crash SpringBoard on iOS
- Entering a message thread containing the image will crash the messages app
- Opening an email containing the image will crash the mail client
- Posting a link to the image will crash some third-party Twitter clients which try to load the image
- Visiting a page containing the image will crash Safari’s content renderer
The bug was reported to Apple on Dec 16, 2015, and on Mar 22, 2016 the fix status was reported as ‘in progress’.